From owner-freebsd-questions  Fri Aug 21 23:13:15 1998
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id XAA02457
          for freebsd-questions-outgoing; Fri, 21 Aug 1998 23:13:15 -0700 (PDT)
          (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from lucy.bedford.net (lucy.bedford.net [206.99.145.54])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA02445
          for <questions@FreeBSD.ORG>; Fri, 21 Aug 1998 23:13:12 -0700 (PDT)
          (envelope-from djv@lucy.bedford.net)
Received: (from djv@localhost)
	by lucy.bedford.net (8.8.8/8.8.8) id BAA06910;
	Sat, 22 Aug 1998 01:56:03 -0400 (EDT)
	(envelope-from djv)
Message-Id: <199808220556.BAA06910@lucy.bedford.net>
Subject: Re: wierd
In-Reply-To: <35DE5168.8DF53FD@vagner.com> from George Vagner at "Aug 22, 98 00:04:40 am"
To: vagner@vagner.com (George Vagner)
Date: Sat, 22 Aug 1998 01:56:03 -0400 (EDT)
Cc: djv@bedford.net, vagner@mutsgo.kf7nn.com, questions@FreeBSD.ORG
Reply-To: djv@bedford.net
From: djv@bedford.net
X-Mailer: ELM [version 2.4ME+ PL38 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

George Vagner wrote
> there was no access to the console other than myself
> ever.  how could someone install a root kit without
> root access.

Obtain a login as an ordinary user, then exploit a local way
of getting root.

A failed attempt to login locally, like "login" or "telnet localhost",
might generate such error messages.  

I'd look for activity in all system logs around the time in question,
and inspect the password database for alterations.

Of course, such messages can be faked, too.

Dave

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message